No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

our approach is use pulumi.random to generate the password, and put it in a keyvault

also you might want to use an azure ad group instead of a single user as the admin

so that you can add yourslef to it and log in for troubleshooting

ok thanks, I also thought about AD it, but in my case it look as too big overhead. What do you mean by `encrypted pulumi secret` is there any api to add entries to Pulumi.stack.yaml? or generating passwords outside of pulumi and pass to it on `pulumi up` with --secret?

yeah you can do pulumi config to set a secret

and it will make an entry you can retrieve as normal

sorry, you mean to do it with `pulumi config set` command right?

If you want to ceate the secret programmatically, you can use the `pulumi.secret(v)` function and it'll be encrypted in the state file, just like the CLI does. This combines nicely with what Oliver suggested, eg generating it with the random package.

yes, right. it looks like simplest option, thanks